What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is the federal regulation at 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164 that establishes national standards for how HIPAA Covered Entities, and in certain cases Business Associates, may use and disclose protected health information and what rights individuals have over their protected health information.

The HIPAA Privacy Rule applies to health plans, most health care clearinghouses, and health care providers that transmit health information in electronic form in connection with covered transactions. The rule also applies to Business Associates through required contract terms and, for specified obligations, through direct regulatory requirements incorporated through the HIPAA Rules. Protected health information includes individually identifiable health information in any form or medium, with limited exclusions such as certain employment records held by a covered entity in its role as employer.

The HIPAA Privacy Rule permits uses and disclosures of protected health information for treatment, payment, and health care operations without patient authorization, subject to conditions and restrictions. The rule also permits or requires disclosures for public interest and benefit activities, such as disclosures required by law, public health activities, health oversight activities, judicial and administrative proceedings under specified conditions, and law enforcement purposes under specified conditions. When a use or disclosure is not permitted or required by the rule, the covered entity generally needs a valid HIPAA Authorization.

The HIPAA Minimum Necessary Rule applies to many uses, disclosures, and requests for protected health information, requiring a covered entity to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to disclosures for treatment, disclosures to the individual, uses or disclosures made pursuant to a valid authorization, and certain other specified categories.

The HIPAA Privacy Rule requires covered entities to provide a Notice of Privacy Practices that describes permitted uses and disclosures, individual rights, and the covered entity’s legal duties. Covered entities must implement written policies and procedures, train workforce members on those policies and procedures as necessary and appropriate for their functions, and apply sanctions against workforce members who fail to comply with the covered entity’s privacy policies and procedures.

Individual rights under the HIPAA Privacy Rule include the right to access protected health information in a designated record set, the right to request amendment of protected health information, and the right to receive an accounting of certain disclosures. The rule also provides rights to request restrictions on certain uses and disclosures, request confidential communications, and receive communications about breaches as required by the HIPAA Breach Notification Rule when unsecured protected health information is breached.

Compliance with the HIPAA Privacy Rule is enforced through investigations, compliance reviews, and resolution actions that can include corrective action plans, monitoring, and civil monetary penalties. Covered entities and business associates align privacy governance with the HIPAA Security Rule and the HIPAA Breach Notification Rule to address access controls, safeguards, incident response, and breach notification obligations that overlap with privacy requirements.

The Official Regulatory Text on the HIPAA Privacy Rule

45 CFR 164.502(a) is relevant because it states the central legal standard that the HIPAA Privacy Rule sets for uses and disclosures of protected health information. The regulation states “A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart.”

45 CFR 164.514(d)(1) is relevant because it establishes the minimum necessary framework that limits many uses, disclosures, and requests for protected health information under the HIPAA Privacy Rule. The regulation states “a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section” for “the use and disclosure of protected health information.”

45 CFR 164.520(b)(1)(v) is relevant because it requires a covered entity to describe privacy duties that the HIPAA Privacy Rule imposes, which is part of how the rule is operationalized for patients through the Notice of Privacy Practices. The regulation states “The notice must contain a statement that the covered entity is required by law to maintain the privacy of protected health information.”

45 CFR 164.524(a)(1) is relevant because it establishes the individual right of access that the HIPAA Privacy Rule grants for protected health information in a designated record set. The regulation states “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set.”

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.